<div dir="ltr">I have updated the ask page.<div><br></div><div><a href="https://ask.openstack.org/question/1350/how-to-configure-keystone-with-open-ldap-horizon-on-grizzly/">https://ask.openstack.org/question/1350/how-to-configure-keystone-with-open-ldap-horizon-on-grizzly/</a><br>
</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, May 29, 2013 at 8:18 PM, yasith tharindu <span dir="ltr"><<a href="mailto:yasithucsc@gmail.com" target="_blank">yasithucsc@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="font-family:arial,sans-serif;font-size:13px">Now my authentication phase is right through ldap, I guess. But I'm getting an error when trying to log in saying "<span style="background-color:rgb(242,222,222);color:rgb(185,74,72);font-family:'Helvetica Neue',Helvetica,Arial,sans-serif;line-height:18px">You are not authorized for any projects."</span></div>

<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">My <span>ldap</span> configurations have been used by keystone, it seems. The keystone command gives the following results.</div>

<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><div>root@ubuntu:/home/wso2/<span>ldap</span>#<b> keystone user-list</b></div>

<div>WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).</div><div>+------+------+---------+------------------+</div><div>|  id  | name | enabled |      email       |</div>

<div>+------+------+---------+------------------+</div><div>| demo | demo |   True  | <a href="mailto:demo@example.com" target="_blank">demo@example.com</a> |</div><div>+------+------+---------+------------------+</div><div>

root@ubuntu:/home/wso2/<span>ldap</span># <b>keystone role-list</b></div><div>WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).</div><div>+-------+-------+</div>

<div>|   id  |  name |</div><div>+-------+-------+</div><div>| admin | Admin |</div><div>+-------+-------+</div><div>root@ubuntu:/home/wso2/<span>ldap</span># <b>keystone tenant-list</b></div><div>WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).</div>

<div>+-------+-------+---------+</div><div>|   id  |  name | enabled |</div><div>+-------+-------+---------+</div><div>| admin | admin |   True  |</div><div>+-------+-------+---------+</div><div><br></div></div><div style="font-family:arial,sans-serif;font-size:13px">

<br></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">But nova commands return an error with the <span>ldap</span> user credentials.</div>

<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">#<b> nova image-list</b></div><div style="font-family:arial,sans-serif;font-size:13px">ERROR: Invalid <span>OpenStack</span> Nova credentials.</div>

<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">The system variables I used are as follows.</div>

<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><div>export OS_USERNAME=demo</div><div>export OS_TENANT_NAME=admin</div><div>export OS_PASSWORD=secret</div>

<div>export OS_AUTH_URL=<a href="http://192.168.1.111:5000/v2.0/" target="_blank">http://192.168.1.111:5000/v2.0/</a></div><div>export OS_REGION_NAME=RegionOne</div><div>export SERVICE_ENDPOINT="<a href="http://192.168.1.111:35357/v2.0" target="_blank">http://192.168.1.111:35357/v2.0</a>"</div>

<div><div>export SERVICE_TOKEN=012345SECRET99TOKEN012345</div><div>export OS_NO_CACHE=1</div></div><div><br></div></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">

<br></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">Following is the keystone log..</div><div style="font-family:arial,sans-serif;font-size:13px">

<br></div><div style="font-family:arial,sans-serif;font-size:13px"><div>2013-05-29 02:45:20    DEBUG [keystone.common.<span>ldap</span>.core] <span>LDAP</span> search: dn=ou=Tenants,dc=example,dc=com, scope=2, query=(&(objectClass=organizationalRole)(roleOccupant=cn=demo,ou=Users,dc=example,dc=com)), attrs=None</div>

<div>2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] ******************** RESPONSE HEADERS ********************</div><div>2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] Vary = X-Auth-Token</div><div>2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] Content-Type = application/json</div>

<div>2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] Content-Length = 36</div><div>2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] </div><div>2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] ******************** RESPONSE BODY ********************</div>

<div>2013-05-29 02:45:20    DEBUG [keystone.common.wsgi] {"tenants_links": [], "tenants": []}</div><div>2013-05-29 02:45:20     INFO [access] 127.0.0.1 - - [28/May/2013:21:15:20 +0000] "GET <a href="http://127.0.0.1:5000/v2.0/tenants" target="_blank">http://127.0.0.1:5000/v2.0/tenants</a> HTTP/1.0" 200 36</div>

<div>2013-05-29 02:45:20    DEBUG [eventlet.wsgi.server] 127.0.0.1 - - [29/May/2013 02:45:20] "GET /v2.0/tenants HTTP/1.1" 200 164 0.028584</div><div><br></div></div><div style="font-family:arial,sans-serif;font-size:13px">

<br></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">And the tenant config of keystone is as follows:</div><div style="font-family:arial,sans-serif;font-size:13px">

<br></div><div style="font-family:arial,sans-serif;font-size:13px"><div class="im"><div><div>tenant_tree_dn = ou=Tenants,dc=example,dc=com</div><div>tenant_objectclass = groupOfNames</div><div>tenant_id_attribute = cn</div>
<div>
tenant_member_attribute = member</div></div></div><div>tenant_name_attribute = cn</div><div>tenant_domain_id_attribute = businessCategory</div><div>tenant_enabled_attribute = o</div><div class="im"><div><div>tenant_allow_create = True</div>

<div>tenant_allow_update = True</div></div></div><div>tenant_allow_delete = True</div><div>tenant_desc_attribute = description</div><div><br></div><div><br></div><div><br></div><div><b>Does anyone have any suggestions?</b> It seems there are no tenants according to the log "DEBUG [keystone.common.wsgi] {"tenants_links": [], "tenants": []} "</div>

<div>But I have enabled the user in the Tenant <span>ldap</span> group.</div><div><br></div><div><div class="im"><div><div>dn: cn=admin,ou=Tenants,dc=example,dc=com</div><div>objectClass: groupOfNames</div><div>cn: admin</div>

</div></div><div>o: True</div><div>businessCategory: default</div><div class="im"><div><div>description: <span>Openstack</span> admin Tenant</div><div>member: cn=demo,ou=Users,dc=example,dc=com</div><div><br></div></div>
</div></div>
</div><div style="font-family:arial,sans-serif;font-size:13px">Thanks in advance..:)</div></div><div class="gmail_extra"><div><div class="h5"><br><br><div class="gmail_quote">On Mon, May 20, 2013 at 11:24 AM, yasith tharindu <span dir="ltr"><<a href="mailto:yasithucsc@gmail.com" target="_blank">yasithucsc@gmail.com</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><h1 style="margin:0px;padding:0px 0px 5px;border:none;font-family:'PT Sans',serif;color:rgb(102,102,102);line-height:36px">

<font><span style="font-weight:normal">The question is posted on the OpenStack ask page. </span></font><a href="https://ask.openstack.org/question/1350/how-to-configure-keystone-with-open-ldap-horizon-on-grizzly/" target="_blank">https://ask.openstack.org/question/1350/how-to-configure-keystone-with-open-ldap-horizon-on-grizzly/</a></h1>


<div><br></div><div>Error</div><div><pre style="font-family:Menlo,Monaco,'Courier New',monospace;font-size:12.025px;margin-top:0px;margin-bottom:9px;background-color:rgb(245,245,245);padding:8.5px;color:rgb(51,51,51);border-top-left-radius:4px;border-top-right-radius:4px;border-bottom-right-radius:4px;border-bottom-left-radius:4px;line-height:18px;border:1px solid rgba(0,0,0,0.148438);white-space:pre-wrap;word-break:break-all;word-wrap:break-word;clear:both">
2013-05-19 15:21:23    ERROR [root] 'domain_id'
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 236, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 82, in authenticate
    core.validate_auth_info(self, context, user_ref, tenant_ref)
  File "/usr/lib/python2.7/dist-packages/keystone/token/core.py", line 84, in validate_auth_info
    user_ref['domain_id'])
KeyError: 'domain_id'

2013-05-19 15:21:23    DEBUG [keystone.common.wsgi] {"error": {"message": "An unexpected error prevented the server from fulfilling your request. 'domain_id'", "code": 500, "title": "Internal Server Error"}}</pre>


<pre style="font-family:Menlo,Monaco,'Courier New',monospace;font-size:12.025px;margin-top:0px;margin-bottom:9px;background-color:rgb(245,245,245);padding:8.5px;color:rgb(51,51,51);border-top-left-radius:4px;border-top-right-radius:4px;border-bottom-right-radius:4px;border-bottom-left-radius:4px;line-height:18px;border:1px solid rgba(0,0,0,0.148438);white-space:pre-wrap;word-break:break-all;word-wrap:break-word;clear:both">
<pre style="font-family:Menlo,Monaco,'Courier New',monospace;font-size:12.025px;margin-top:0px;margin-bottom:9px;padding:8.5px;border-top-left-radius:4px;border-top-right-radius:4px;border-bottom-right-radius:4px;border-bottom-left-radius:4px;border:1px solid rgba(0,0,0,0.148438);white-space:pre-wrap;word-break:break-all;word-wrap:break-word;clear:both">
Keystone config</pre><pre style="font-family:Menlo,Monaco,'Courier New',monospace;font-size:12.025px;margin-top:0px;margin-bottom:9px;padding:8.5px;border-top-left-radius:4px;border-top-right-radius:4px;border-bottom-right-radius:4px;border-bottom-left-radius:4px;border:1px solid rgba(0,0,0,0.148438);white-space:pre-wrap;word-break:break-all;word-wrap:break-word;clear:both">
==========================================================================
url = ldap://<a href="http://192.168.1.111" target="_blank">192.168.1.111</a>
user = cn=admin,dc=example,dc=com
password = secret
suffix = cn=example,cn=com
use_dumb_member = False
tree_dn = dc=example,dc=com

user_tree_dn = ou=Users,dc=example,dc=com
user_objectclass = inetOrgPerson
user_id_attribute = cn
user_name_attribute = sn
user_pass_attribute = userPassword
user_allow_create = True
user_allow_update = True
user_enabled_attribute = enabled
user_enabled_default = True
user_domain_id_attribute = None

tenant_tree_dn = ou=Tenants,dc=example,dc=com
tenant_objectclass = groupOfNames
tenant_id_attribute = cn
tenant_member_attribute = member
tenant_name_attribute = ou
tenant_domain_id_attribute = None
tenant_allow_create = True
tenant_allow_update = True


role_tree_dn = ou=Roles,dc=example,dc=com
role_objectclass = groupOfNames
role_member_attribute = member
role_id_attribute = cn
role_name_attribute = ou
role_allow_create = True
role_allow_update = True


==============================================</pre><pre style="font-family:Menlo,Monaco,'Courier New',monospace;font-size:12.025px;margin-top:0px;margin-bottom:9px;padding:8.5px;border-top-left-radius:4px;border-top-right-radius:4px;border-bottom-right-radius:4px;border-bottom-left-radius:4px;border:1px solid rgba(0,0,0,0.148438);white-space:pre-wrap;word-break:break-all;word-wrap:break-word;clear:both">
<p style="margin:0px 0px 14px;padding:0px 5px 5px 0px;border:none;font-size:14px;line-height:1.4;font-family:Arial,sans-serif;color:rgb(75,75,75);white-space:normal;background-color:rgb(255,255,255)">ldap config as follows.</p>


<pre style="font-family:Menlo,Monaco,'Courier New',monospace;font-size:12.025px;margin-top:0px;margin-bottom:9px;padding:8.5px;border-top-left-radius:4px;border-top-right-radius:4px;border-bottom-right-radius:4px;border-bottom-left-radius:4px;border:1px solid rgba(0,0,0,0.148438);white-space:pre-wrap;word-break:break-all;word-wrap:break-word;clear:both">
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example Inc
dc: example


dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: c2VjcmV0



dn: ou=Users,dc=example,dc=com
ou: users
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit


dn: ou=Roles,dc=example,dc=com
ou: roles
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit


dn: ou=Tenants,dc=example,dc=com
ou: tenants
objectClass: organizationalUnit



dn: cn=demo,ou=Users,dc=example,dc=com
cn: demo
displayName: demo
givenName: demo
mail: <a href="mailto:demo@example.com" target="_blank">demo@example.com</a>
objectClass: inetOrgPerson
objectClass: top
sn: demo
uid: demo
userPassword:: c2VjcmV0


dn: cn=admin,ou=Roles,dc=example,dc=com
objectClass: groupOfNames
cn: admin
description: Openstack admin Role
member: cn=demo,ou=Users,dc=example,dc=com


dn: cn=admin,ou=Tenants,dc=example,dc=com
objectClass: groupOfNames
cn: admin
description: Openstack admin Tenant
member: cn=demo,ou=Users,dc=example,dc=com
</pre><p style="margin:0px 0px 14px;padding:0px 5px 5px 0px;border:none;font-size:14px;line-height:1.4;font-family:Arial,sans-serif;color:rgb(75,75,75);white-space:normal;background-color:rgb(255,255,255)">I would really appreciate your help</p>


</pre></pre></div>
</div>
</blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br>Thanks..<br>Regards...<br><br>Blog: <a href="http://www.yasith.info" target="_blank">http://www.yasith.info</a><br>
Twitter : <a href="http://twitter.com/yasithnd" target="_blank">http://twitter.com/yasithnd</a><br>
LinkedIn : <a href="http://www.linkedin.com/in/yasithnd" target="_blank">http://www.linkedin.com/in/yasithnd</a><br><div>GPG Key ID : <b>57CEE66E</b></div>
</font></span></div>
</blockquote></div>
</div>
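Added example (not part of the original messages and not Keystone code): the search filter in the keystone log above asks for objectClass=organizationalRole with roleOccupant, while the posted tenant entry is a groupOfNames with member. This Python sketch evaluates that logged filter against the posted entries and reports which terms fail; the function names are hypothetical, and it handles only flat AND filters made of equality terms.

```python
import re

# Constructed from this page: the logged search and two of the posted entries.
LOG_LINE = ("LDAP search: dn=ou=Tenants,dc=example,dc=com, scope=2, "
            "query=(&(objectClass=organizationalRole)"
            "(roleOccupant=cn=demo,ou=Users,dc=example,dc=com)), attrs=None")
LDIF = """\
dn: cn=admin,ou=Roles,dc=example,dc=com
objectClass: groupOfNames
member: cn=demo,ou=Users,dc=example,dc=com

dn: cn=admin,ou=Tenants,dc=example,dc=com
objectClass: groupOfNames
member: cn=demo,ou=Users,dc=example,dc=com
"""

def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}} for a simple, unfolded LDIF."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        entries[attrs.pop("dn")[0]] = attrs
    return entries

def and_terms(flt):
    """Split a flat (&(a=b)(c=d)) filter into (attr, value) equality terms."""
    inner = flt[2:-1] if flt.startswith("(&") else flt
    return [tuple(t.split("=", 1)) for t in re.findall(r"\(([^()]+)\)", inner)]

def explain(line, ldif):
    """Map each entry under the logged search base to the filter terms it fails."""
    base, flt = re.search(r"dn=(.+?), scope=\d+, query=(.+), attrs=", line).groups()
    report = {}
    for dn, attrs in parse_ldif(ldif).items():
        if not dn.lower().endswith(base.lower()):
            continue  # outside the subtree being searched (scope=2)
        report[dn] = [f"{a}={v}" for a, v in and_terms(flt)
                      if v.lower() not in map(str.lower, attrs.get(a.lower(), []))]
    return report

if __name__ == "__main__":
    print(explain(LOG_LINE, LDIF))
```

An empty list for an entry means it satisfies every term of the logged filter; the same check can be run against a real directory with `ldapsearch` using the base and filter copied from the log.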